Run applications without admin privileges


Fintrax
August 24th 06, 11:59 AM
I'm trying to increase security on my servers and desktops but users need
admin privileges to run certain 3rd party applications. Is there any way they
can run the apps while at the same time minimising their privileges?

Thanks

Doug Knox MS-MVP
August 24th 06, 12:34 PM
Only if you can adjust the necessary file and/or Registry permissions to allow the program to do what needs to be done.

Other than that, you can use RUNAS, but that can expose the administrator level user's password, so is pretty pointless from a security standpoint.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Fintrax" > wrote in message ...
> I'm trying to increase security on my servers and desktops but users need
> admin privileges to run certain 3rd party applications. Is there any way they
> can run the apps while at the same time minimising their privileges?
>
> Thanks

Bruce Chambers
August 25th 06, 02:00 AM
Fintrax wrote:
> I'm trying to increase security on my servers and desktops but users need
> admin privileges to run certain 3rd party applications. Is there any way they
> can run the apps while at the same time minimising their privileges?
>
> Thanks


You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions. (Games
are particularly likely to follow this horrible practice.)

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) of the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

Steven L Umbach
August 25th 06, 02:59 AM
The recent article below on finding and fixing LUA bugs may be helpful.

http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/

The first places to check are permissions for the application registry keys
in HKLM\software, the application subfolder in the \program files folder,
any application subfolder in the \program files\common files folder, and any
application subfolder in the \documents and settings\all users\application
data folder. Users may need more than the typical read/list/execute and may
need read/list/execute/write/modify. There are also two free utilities from
SysInternals/Microsoft called regmon and filemon. You can log on as the
regular user and then invoke either one with runas specifying administrator
credentials just before you start the application and stop logging as soon
as the application fails. Then check the log for filemon or regmon looking
for access denied errors, find the object that access is denied to, adjust
permissions and try again. It is helpful to configure the highlight/filter
option in filemon to highlight access denied as there can be thousands of
entries in the log very quickly.

You can also enable auditing on the computer where you are trying to get the
application to work for regular users, so that auditing is enabled for
privilege use and object access for failure only. If privilege use failures
are recorded at the time the application fails, you can give the user/group
the privilege [user right] that is needed via Local Security Policy to see
if that allows the application to work. Object access failures that appear
when the application fails that reference access to service control manager
mean that application will probably not work unless the user is a local
administrator. You also should contact the publishers of the applications to
solicit their help in resolving the problem of use by non administrators. If
they will not or cannot help, express great dissatisfaction that their
application causes a security problem and that you probably will not be able
to use their products in the future due to their lack of concern for security
issues.

Steve


"Fintrax" > wrote in message ...
> I'm trying to increase security on my servers and desktops but users need
> admin privileges to run certain 3rd party applications. Is there any way they
> can run the apps while at the same time minimising their privileges?
>
> Thanks
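
Added example, not part of any poster's message: a short Python triage of a monitor log for the access-denied hunt described in the post above, grouping each denied object under the locations that post says to check first. The log layout (tab-separated: sequence, time, process:pid, request, path, result), the sample rows, the C: drive prefix and all names are constructed assumptions, not real tool output.

```python
# Assumed prefixes for the locations named in the post (C: drive is an assumption).
LOCATIONS = [
    ("hklm\\software\\", "HKLM Software key"),
    ("c:\\program files\\common files\\", "Common Files subfolder"),
    ("c:\\program files\\", "Program Files subfolder"),
    ("c:\\documents and settings\\all users\\application data\\", "All Users Application Data"),
]

# Constructed sample rows: sequence, time, process:pid, request, path, result.
_ROWS = [
    ["1", "10:02:11", "legacyapp.exe:1204", "OPEN", r"C:\Program Files\LegacyApp\app.ini", "SUCCESS"],
    ["2", "10:02:11", "legacyapp.exe:1204", "WRITE", r"C:\Program Files\LegacyApp\data\save.dat", "ACCESS DENIED"],
    ["3", "10:02:12", "explorer.exe:880", "OPEN", r"C:\WINDOWS\system32\x.dll", "ACCESS DENIED"],
    ["4", "10:02:12", "legacyapp.exe:1204", "SetValue", r"HKLM\Software\Vendor\App\LastRun", "ACCESS DENIED"],
    ["5", "10:02:13", "legacyapp.exe:1204", "CREATE", r"C:\Program Files\LegacyApp\data\SAVE.DAT", "ACCESS DENIED"],
    ["6", "10:02:13", "legacyapp.exe:1204", "OPEN", r"C:\WINDOWS\system.ini", "ACCESS DENIED"],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)


def triage(log_text, process_name):
    """Return sorted (location, path, requests) for each object one process was denied."""
    found = {}
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # header, blank or truncated line
        proc, request, path, result = cols[2], cols[3], cols[4], cols[5]
        if proc.rsplit(":", 1)[0].lower() != process_name.lower():
            continue  # other processes fill the log very quickly
        if result.strip().upper() != "ACCESS DENIED":
            continue
        key = path.lower()  # Windows paths and registry keys are case-insensitive
        where = next((name for prefix, name in LOCATIONS if key.startswith(prefix)), "other")
        entry = found.setdefault(key, {"where": where, "path": path, "requests": set()})
        entry["requests"].add(request.upper())
    return sorted((e["where"], e["path"], sorted(e["requests"])) for e in found.values())


if __name__ == "__main__":
    for where, path, requests in triage(SAMPLE_LOG, "legacyapp.exe"):
        print(f"{where:28} {','.join(requests):14} {path}")
```

Rows labelled "other" fall outside the four locations listed in the post, so they are the ones to look at before changing any permissions.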

Marc Ebner
August 28th 06, 12:32 PM
Fintrax wrote:
> I'm trying to increase security on my servers and desktops but users need
> admin privileges to run certain 3rd party applications. Is there any way they
> can run the apps while at the same time minimising their privileges?
>

You can give an application admin rights with the tool runasspc at
www.robotronic.de/runasspcen.html

August 28th 06, 06:08 PM
> Fintrax wrote:
> > I'm trying to increase security on my servers and desktops but users need
> > admin privileges to run certain 3rd party applications. Is there any way they
> > can run the apps while at the same time minimising their privileges?
> >

Google for DropMyRights, from MS.

A MUST-HAVE for IE when run on XP Home (since home users are admins by
default). If you use Outlook or another POP3 mailer it's good for that
too; it will prevent baddies from accomplishing much.
